Resilience Testing (DORA)
DORA requires financial entities to regularly test the digital operational resilience of their ICT systems. The testing programme ranges from basic vulnerability scanning to advanced threat-led penetration testing (TLPT) for the most systemically important institutions.
What is resilience testing under DORA?
DORA Chapter IV (Articles 24-27) sets out the requirements for digital operational resilience testing. The purpose is to verify that an organisation's ICT systems actually function as intended under pressure, and to identify weaknesses that could be exploited by attackers.
The testing programme under DORA is tiered: all financial entities must conduct basic tests, but only the most systemically important institutions are obliged to carry out advanced TLPT.
Types of tests
DORA Article 25 specifies that the basic testing programme must include:
- Vulnerability assessments and scanning: Systematic identification of known vulnerabilities in systems and applications.
- Open-source analyses: Assessment of risks from the use of open-source components.
- Network security assessments: Testing of network configurations and access controls.
- Gap analyses: Assessment of gaps in security measures.
- Physical security reviews: Assessment of physical access security.
- Scenario-based tests: Tests based on realistic attack scenarios.
- Compatibility tests: Tests of the integrity of security updates and patches.
- Performance tests: Tests of system performance under load.
- End-to-end tests: Tests of critical functions from user interface to back-end.
- Penetration tests: Simulated attacks against specific systems.
Testing frequency and requirements
DORA requires resilience tests to be conducted 'at least once a year' for most test types. Tests must:
- Be conducted by internal or external testers with sufficient expertise.
- Be thoroughly documented with findings and remediation plans.
- Have results communicated to management.
- Ensure identified weaknesses are prioritised and addressed.
Testing on live systems: DORA emphasises that tests, particularly TLPT, must be conducted on live production systems rather than only in test environments. This is a significant tightening compared to traditional practice.
Frequently Asked Questions about Resilience Testing (DORA)
What is resilience testing under DORA?
Resilience testing under DORA is the systematic process by which financial entities test the robustness of their ICT systems. It includes vulnerability scanning, scenario-based tests, penetration tests and, for significant entities, threat-led penetration testing (TLPT).
What is the minimum frequency for resilience tests under DORA?
DORA requires basic resilience tests to be conducted at least once a year. TLPT must be carried out at least every three years for the financial entities that are obliged to do so.
Who must carry out TLPT under DORA?
TLPT is mandatory for the most systemically important financial institutions, as identified by competent authorities. Smaller entities are not required to carry out TLPT but must still conduct the basic testing programme.
Can resilience tests be performed by internal staff?
Yes, basic resilience tests may be performed by internal staff, provided they have sufficient expertise and independence. However, TLPT must be carried out by external testers who meet specific qualification requirements set out in DORA.
Must resilience tests be conducted on production systems?
DORA emphasises that tests, particularly TLPT, should be conducted on live production systems to provide a realistic assessment of resilience. This is a significant departure from the common practice of testing only in isolated environments.
.legal A/S